google / webauthndemo

An example Node.js Relying Party implementation of the WebAuthn specification
https://try-webauthn.appspot.com
Apache License 2.0

Assertion/Authenticate doesn't work on Edge (Windows Build 1809) using Windows Hello PIN #54

Closed ivkina closed 5 years ago

ivkina commented 5 years ago

You can register a new credential (through Windows Hello PIN/Camera/FingerPrint), but Authenticate doesn't work, displaying "error occurred during assertion request". I debugged it on the server-side Java code and it looks like it fails in the `com.google.webauthn.gaedemo.server.Server` class -> `if (!Crypto.verifySignature(publicKey, signedBytes, assertionResponse.getSignature(), signatureAlgorithm)) { throw new ServletException("Signature invalid"); }`

Basically, `Crypto.verifySignature` returns false. Further debugging into the Java native crypto code indicates a `javax.crypto.BadPaddingException` error. Again, this happens only when using Edge (Windows Build 1809) and Windows Hello credentials (PIN, fingerprints, camera). It works on Edge, same Windows Build 1809, when using a USB Yubico key.

Microsoft has its own demo of WebAuthn - https://github.com/MicrosoftEdge/webauthnsample and https://webauthnsample.azurewebsites.net. It works just fine with both USB/Yubico/Feitian (cross-platform) and Windows Hello (platform) authenticators. Please advise if you support Windows Hello authenticators and, if yes, how to fix this issue.

Thanks, Aleksey alekseyivkin@deltek.com

kpaulh commented 5 years ago

Are you still seeing this issue? I was unable to reproduce - Windows Hello credentials on Edge worked for me.

ivkina commented 5 years ago

Windows Hello credentials can be registered in Edge, but we are getting an assertion error when trying to sign in/authenticate. Please see the detailed steps here: .. I just uploaded a PDF file to Google Drive.

Please confirm whether you observe the same behavior.

Thanks, Aleksey alekseyivkin@deltek.com

ivkina commented 5 years ago

The link to PDF file with exact steps for replication: https://drive.google.com/file/d/1bl8hwSX-mwc84XqaIOlv0mQmt0ITWn1y/view?usp=sharing

kpaulh commented 5 years ago

Thanks for the additional details, and I'm experiencing the same behavior. This seems to be a problem processing RS256 signatures. Casey, can you take a look?

ivkina commented 5 years ago

Hi... Is there any fix available for this problem? Thanks

ivkina commented 5 years ago

Just retested the latest code here and I'm still getting this error during assertion for Windows 10 Hello credentials. Thanks

cpiper commented 5 years ago

Hi, I haven't been able to root cause this yet. I'll see if I can find time to fix it soon.

ivkina commented 5 years ago

Just as an FYI... we showed the FIDO 2.0 implementation for the set of Deltek products (deltek.com) at our annual users conference that was in Nov, 2108 and customers were excited. Though everyone indicated that support for Windows Hello authenticators is a must, since you don't have to spend $ on FIDO devices, it is easier to adopt, face recognition, fingerprints, PIN, built-in support, etc. So it is certainly a problem and a priority fix for us. Without Windows Hello being supported this functionality is a bit useless :(((

Again, there should be something simple here, some disconnect between how the Windows 10 TPM encrypts and builds a signature using RSA vs. how you decrypt and verify it in Java. It could be an issue with some extra padding or space, or the text not being normalized properly before decryption, or something like that.

Microsoft has its own demo of WebAuthn - https://github.com/MicrosoftEdge/webauthnsample and https://webauthnsample.azurewebsites.net. It works just fine with both USB/Yubico/Feitian (cross-platform) and Windows Hello (platform) authenticators. I also checked their Node.js source code and it is very similar (if not the same) to what you are doing. The only difference is the native encrypt/decrypt implementation for RSA signatures.

Thanks, Aleksey alekseyivkin@deltek.com
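The thread narrows the failure to RS256 assertions (kpaulh's comment above) and the reporter suspects a padding mismatch between what the Windows Hello authenticator produces and what the Java verifier expects. The example below is added here to illustrate the relying-party check involved; it is not the demo's Java code and does not claim to be the actual fix. In Go, using only the standard library, it builds the signed message the way WebAuthn defines it (`authenticatorData || SHA-256(clientDataJSON)`), dispatches on the COSE `alg` of the stored credential (-7 for ES256, -257 for RS256), and verifies RS256 as RSASSA-PKCS1-v1_5 with SHA-256. The simulated authenticator keys, the rpId `example.test`, the flags/counter bytes and the clientDataJSON are all constructed for the demo. It also shows two ways a valid assertion is rejected: checking the same RS256 signature as RSA-PSS (a wrong-scheme mismatch of the kind the reporter describes), and altering the client data after signing.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// COSE algorithm identifiers carried in the credential public key (IANA COSE Algorithms registry).
const (
	AlgES256 = -7   // ECDSA on P-256 with SHA-256
	AlgRS256 = -257 // RSASSA-PKCS1-v1_5 with SHA-256
)

// SignedBytes builds the exact byte string an authenticator signs for an assertion:
// authenticatorData || SHA-256(clientDataJSON). Any drift here (extra bytes, un-hashed
// client data) makes every signature fail, regardless of algorithm.
func SignedBytes(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), h[:]...)
}

// VerifyAssertion checks sig over signed with the scheme selected by the COSE alg id.
// The key type and the padding scheme must both match the registered credential.
func VerifyAssertion(alg int, pub crypto.PublicKey, signed, sig []byte) error {
	digest := sha256.Sum256(signed)
	switch alg {
	case AlgES256:
		k, ok := pub.(*ecdsa.PublicKey)
		if !ok {
			return errors.New("ES256 credential does not carry an EC public key")
		}
		if !ecdsa.VerifyASN1(k, digest[:], sig) {
			return errors.New("ES256 signature invalid")
		}
		return nil
	case AlgRS256:
		k, ok := pub.(*rsa.PublicKey)
		if !ok {
			return errors.New("RS256 credential does not carry an RSA public key")
		}
		// RS256 is PKCS#1 v1.5; verifying it as PSS (or vice versa) rejects every signature.
		return rsa.VerifyPKCS1v15(k, crypto.SHA256, digest[:], sig)
	default:
		return fmt.Errorf("unsupported COSE alg %d", alg)
	}
}

// DemoResult collects the outcomes of the simulated assertions so they can be inspected.
type DemoResult struct {
	RS256Correct      error // RS256 verified with PKCS#1 v1.5: expected nil
	RS256WrongPadding error // same signature checked as RSA-PSS: expected non-nil
	RS256Tampered     error // clientDataJSON modified after signing: expected non-nil
	ES256Correct      error // ES256 path for comparison: expected nil
}

// RunAssertionDemo plays both the authenticator and the relying party with constructed data.
func RunAssertionDemo() (DemoResult, error) {
	var res DemoResult
	// Constructed authenticatorData: rpIdHash (32 bytes) || flags (UP|UV = 0x05) || counter (4 bytes).
	rpIDHash := sha256.Sum256([]byte("example.test"))
	authData := append(append(append([]byte{}, rpIDHash[:]...), 0x05), 0, 0, 0, 1)
	clientDataJSON := []byte(`{"type":"webauthn.get","challenge":"constructed-challenge","origin":"https://example.test"}`)
	signed := SignedBytes(authData, clientDataJSON)
	digest := sha256.Sum256(signed)

	// RS256 authenticator: PKCS#1 v1.5 signature over the digest.
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return res, err
	}
	rsaSig, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, digest[:])
	if err != nil {
		return res, err
	}
	res.RS256Correct = VerifyAssertion(AlgRS256, &rsaKey.PublicKey, signed, rsaSig)
	res.RS256WrongPadding = rsa.VerifyPSS(&rsaKey.PublicKey, crypto.SHA256, digest[:], rsaSig, nil)
	tampered := SignedBytes(authData, append(append([]byte{}, clientDataJSON...), ' '))
	res.RS256Tampered = VerifyAssertion(AlgRS256, &rsaKey.PublicKey, tampered, rsaSig)

	// ES256 authenticator (e.g. a typical security key) for comparison.
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return res, err
	}
	ecSig, err := ecdsa.SignASN1(rand.Reader, ecKey, digest[:])
	if err != nil {
		return res, err
	}
	res.ES256Correct = VerifyAssertion(AlgES256, &ecKey.PublicKey, signed, ecSig)
	return res, nil
}

func main() {
	res, err := RunAssertionDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("RS256 correct scheme: %v\nRS256 checked as PSS: %v\nRS256 tampered client data: %v\nES256: %v\n",
		res.RS256Correct, res.RS256WrongPadding, res.RS256Tampered, res.ES256Correct)
}
```

The point for a relying party is that `alg` must be read from the credential registered at attestation time and used to pick both the key type and the exact signature scheme; a server that hard-codes one scheme will register RSA credentials fine (registration does not exercise the assertion path) and then reject every assertion from them, which is the symptom this thread reports.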

cpiper commented 5 years ago

This should now be resolved. Sorry for the delay.

ivkina commented 5 years ago

Verified and it works perfect! Thank you very much!